Risk Assessment —

Looking back: the five most important security stories of 2012

Flame, everyday devices, Mac malware, passwords, and crypto.

Enlarge/ An overview of a chosen-prefix collision. A similar technique was used by the Flame espionage malware that targeted Iran. The scientific novelty of the malware underscored the sophistication of malware sponsored by wealthy nation states.

The dance among blackhat, whitehat, and greyhat hackers grew ever more intricate in 2012, thanks to a steady stream of exploits, vulnerability discoveries, and data breaches. In-the-wild attacks against Internet Explorer, the Java software framework, and other perennial favorites continued, of course. They inflicted plenty of damage on end users, but given their familiarity, they hardly stood out.

What got our attention were attacks on entirely new classes of devices or victims, or in the case of passwords and cryptography, the culmination of new exploit techniques quickly eroding the protection we once took for granted.

From our perspective, here are the five biggest security stories this year.

Flame espionage malware ushers in the age of cyber warfare

If Stuxnet and Duqu malware represented the dawning of nation state-sponsored computer attacks, the discovery in 2012 of Flame and several other espionage programs ensured electronic warfare wasn't a passing fad.

To security researchers' amazement, Flame remained undetected on high-value computers in Iran and elsewhere for at least two years. Even more impressive were the engineering feats it used to propagate and steal sensitive data. The malware wielded what's believed to be the only in-the-wild "collision" cryptography attack to hijack the Windows update mechanism so it could spread from machine to machine over networks. What's more, the collision attack was carried out using a previously unseen technique, showing it could only have been accomplished by world-class cryptographers.

The growing insecurity of everyday devices comes as engineers endow them with more and more powerful embedded computers. Yet, the device makers fail to incorporate the types of defenses Microsoft and Apple have spent the past decade developing. Expect to see more such hacks in the coming years.

Mac malware goes mainstream

Viruses targeting Macs have been around for decades, but they had always been relegated to a decidedly niche category. That all changed this year as malware targeting OS X users finally went mainstream. Malware dubbed Flashback, which was suspected to be used in click-fraud scams, infected 650,000 Macs by one security firm's estimates. Surveillance spyware that's been common for years on Windows machines also migrated to OS X, particularly in campaigns used to spy on Chinese dissidents.

Crypto attacks get meaner

This year brought about several attacks that undermined cryptographic protections many of us have come to take for granted. The most devastating was an exploit dubbed CRIME that was able to silently decrypt website credentials used to protect e-mail and e-commerce accounts. Short for Compression Ratio Info-leak Made Easy, CRIME was able to defeat the secure sockets layer protections offered on Github.com, Dropbox.com, Stripe.com, and other popular websites until website engineers were privately warned of the vulnerability. CRIME came a year after BEAST, another exploit that also showed the limitations of the SSL and transport layer security protocols. Together these form the basis for virtually all encryption used to authenticate websites and to encrypt data traveling between them and end users.

This year's crypto attacks were by no means limited to SSL and TLS. Researchers also devised an exploit that can extract a secret key from RSA's SecurID 800, which company marketers hold out as a secure way for employees to store sensitive credentials. Attacks against virtual machines also exposed cryptographic keys. This was also the year that researchers in at least two different studies uncovered inadequate encryption protections in apps used by millions of people.

Here is what needs to happen.We need our Operating Systems or Browsers to handle our security. Just like how we can log into sites using our FB credentials, this kind of log in technique needs to be brokered by our operating systems or web browsers.

My Wife uses the password management system that generates hard passwords and stores then locally for you to copy paste into your online accounts. This is Great in theory, but I need something that allows me to access sites from my phone without having to email passwords around or type out so many characters.

Access to sites needs to be granted from a combination of Known Devices and Local Security. I need to be able to manage Known Devices the way firefox sync works; you get two devices in the same room and plug a password from one into the other.

The fact is that people who would crack our accounts usually live in other countries, and local security is by far the safest way to combat this.

Here is what needs to happen.We need our Operating Systems or Browsers to handle our security. Just like how we can log into sites using our FB credentials, this kind of log in technique needs to be brokered by our operating systems or web browsers.

My Wife uses the password management system that generates hard passwords and stores then locally for you to copy paste into your online accounts. This is Great in theory, but I need something that allows me to access sites from my phone without having to email passwords around or type out so many characters.

Access to sites needs to be granted from a combination of Known Devices and Local Security. I need to be able to manage Known Devices the way firefox sync works; you get two devices in the same room and plug a password from one into the other.

The fact is that people who would crack our accounts usually live in other countries, and local security is by far the safest way to combat this.

DropBox + KeePass (on my PC and phones/tablets) works exactly as you want.

Here is what needs to happen.We need our Operating Systems or Browsers to handle our security. Just like how we can log into sites using our FB credentials, this kind of log in technique needs to be brokered by our operating systems or web browsers.

My Wife uses the password management system that generates hard passwords and stores then locally for you to copy paste into your online accounts. This is Great in theory, but I need something that allows me to access sites from my phone without having to email passwords around or type out so many characters.

Access to sites needs to be granted from a combination of Known Devices and Local Security. I need to be able to manage Known Devices the way firefox sync works; you get two devices in the same room and plug a password from one into the other.

The fact is that people who would crack our accounts usually live in other countries, and local security is by far the safest way to combat this.

The one major security hole that the article missed is the recent highlighting of the human factor. Many of the more publicized compromises were the result of people using social engineering to trick customer service drones into granting password resets.

Here is what needs to happen.We need our Operating Systems or Browsers to handle our security. Just like how we can log into sites using our FB credentials, this kind of log in technique needs to be brokered by our operating systems or web browsers.

My Wife uses the password management system that generates hard passwords and stores then locally for you to copy paste into your online accounts. This is Great in theory, but I need something that allows me to access sites from my phone without having to email passwords around or type out so many characters.

Access to sites needs to be granted from a combination of Known Devices and Local Security. I need to be able to manage Known Devices the way firefox sync works; you get two devices in the same room and plug a password from one into the other.

The fact is that people who would crack our accounts usually live in other countries, and local security is by far the safest way to combat this.

I'm a Keepass fan, but I always tell people use a system that works for them, but use *something*, Lastpass, 1Passwod, whatever. The real problem is websites, esp. financial sites that use weaksauce security, like limiting password lengths to 13 or even 10. I also really wished everyone would embrace multi-factor logins ala Google & Dropbox.

I like Keepass over last pass because it's open source and the file is stored locally (ignoring drop box). With lastpass you are taking their word for it when they say your passwords are safe: with keepass you're much more certain. Even if dropbox screws up and releases your files publicly your key db should be inscrutable because you chose a massive pass phrase.

I'm a Keepass fan, but I always tell people use a system that works for them, but use *something*, Lastpass, 1Passwod, whatever. The real problem is websites, esp. financial sites that use weaksauce security, like limiting password lengths to 13 or even 10. I also really wished everyone would embrace multi-factor logins ala Google & Dropbox.

I think twelve characters and up are reasonable. I used KeePass to generate a few 12 character passwords (upper-case + lower-case + numbers) and KeePass claims they average about 69 bits of entropy. If you do the math that's about 6.0 x10E20 combinations. At 10E12 guesses a second, it would take about 19 years to cover them all, or 9.5 years if you get lucky half way.

That might be a danger if you are a major corporate or government, but most hackers aren't going to waste that much effort and power consumption on the average slob.

Here is what needs to happen.We need our Operating Systems or Browsers to handle our security. Just like how we can log into sites using our FB credentials, this kind of log in technique needs to be brokered by our operating systems or web browsers.

My Wife uses the password management system that generates hard passwords and stores then locally for you to copy paste into your online accounts. This is Great in theory, but I need something that allows me to access sites from my phone without having to email passwords around or type out so many characters.

Access to sites needs to be granted from a combination of Known Devices and Local Security. I need to be able to manage Known Devices the way firefox sync works; you get two devices in the same room and plug a password from one into the other.

The fact is that people who would crack our accounts usually live in other countries, and local security is by far the safest way to combat this.

LastPass for iPhone costs 12$ a year. LastPass also only really works with the built in browser, lots of my services use mobile apps like mobile banking.

DropBox + KeyPass I will give a try. Copy pasting is a bit annoying esp every time I want to access a mobile app..

I still think the correct place to implement this is to build security right into the Operating Systems. That is the only way you will get seamless integration.

By local security I mean a couple things: 1: Firefox devices are only synced by having one of my other devices in the same space for a moment of time.2: The most secure way to access my credit card is chip and pin the way Europe does it. Access to my Physical Card and a known password combination. This would work the same way, access to my physical device id such as my iPhone and a pin such as my access code.

Since few months, I started using different passwords for different websites.

For all important eCommerce, Email, and Banking websites and some other important accounts such as FB, I have chosen a particular word with combination of uppercase and lowercase letters, followed by a special character, followed by two digits, followed by two particular characters from the name of the website (e.g. first and fourth characters).

For example, if it were arstechnica,com, my password would be: MainWord&50at; if it were amazon.com, the password would be MainWord&50az and so on. For other sites where I maintain an account just to be able to participate in their forums etc., I use a different main word and different number etc. but the idea remains the same.

re: golmaalHow are you doing? Answering that question leads directly to a fundamental issue in any security discussion: It depends on the attacks you are worried about.

1. If you are worried about mass attacks against large numbers of encrypted passwords from a particular site, then it actually doesn't matter very much if you vary your password from site to site: What matters is the strength of the individual password on the site that's attacked. The only thing that protects you in this scenario is a long password with characters chosen from as large collection of possibilities as possible. Unfortunately, brute force attacks against passwords have now gotten so fast that "long enough" and "enough odd characters" is getting beyond what people can be expected to remember.

2. If you are worried against attacks specifically targeted against you in which an attacker gets your password on *one* site and tries it on others, then your method is pretty good, as given one sample it's unlikely that anyone can guess your method.2a. On the the other hand, now that you've revealed it here ... :-)2b. If an attacker got hold of your password on *two* sites, he'd have you;2c. If this method becomes popular, someone will certainly write a program to take a password gleaned from one site and try variations based on changing the last character, the last two characters, and so on. That would break your scheme pretty quickly.

The unfortunate lessons about passwords of the last couple of years are:- Machines are now so fast that human ideas about "too hard to be practical" can't keep up;- Many people will come up with the same idea (or learn it from others), eventually making something hard to guess into something easy - e.g., replacing letters with look-alike digits adds almost no security because the attackers know that's common and machines will try all those combinations early.

There's another less, though: Security people love to attack users for doing "stupid" things like choosing too-easy-to-guess passwords or using the same password on multiple sites. *Those same security people* then manage to *repeatedly* lose copies of their "safely encrypted" password files. There's a reason beyond the new hardware that passwords have become so easy to attack: Tens of millions of passwords have been "lost" this way, providing the attackers with easy windows into how people in real life construct passwords - and hence shortcuts to attacking them. Attacking passwords "on line" - but sending them to some Web front end and seeing if they work - just plain doesn't work against a site that's been programmed with even a modicum of competence. The workable attacks against passwords *all* rely, on way or another, on the many, many incompetent sites that have managed to leak all their account information.

So don't feel bad about the difficulty in creating a secure, usable mechanism for choosing and remembering passwords. The developers of Web sites have pretty much told you: Here's this nice acre of quicksand. Please build your house on it.

Protect our devices:* Patching programs and the OS should be trivial * the only safe password is the one that is sooooo looooong and complex that yuo cannot possibly type it. KeePassX/KeePass handle this nicely* Don't run crap software like Java, Flash, Shockwave, Acrobat, IE, anything that is constantly having security issues. Or it is just easier to avoid software from Adobe, Oracle, Apple and Microsoft.

Protect our data:* Truecrypt* KeePassX* Always use HTTPS and VPNs

Buy Only Open-Data and Open-OS devices:* If a device has could have multiple uses, but it locked by a vendor for a specific use, DO NOT BUY IT. Locked smart phones and locked tablets are examples. Buy devices that support open data.* Avoid proprietary data formats. Docx, pptx, xlsx, Flash, MOV, .... why not use ODF file formats and open data formats that almost every software in a particular category handles?

Keep Personal Things Personal:* Facebook, Twitter, Foursquare, Google and place that ask you to upload or create content .... why would you do that?* Avoid all social networks since their goal is to get personal data ABOUT you.* Blocking those few websites isn't too hard AND makes the internet much, much quicker.

Don't Support Companies that Routinely Fail to* protect our devices* protect our data* allow us to use the hardware in the ways we like* Let us stay private, if we choose to.* Recent changes to privacy policies are a good hint on how our data is being monetized.* If they want you to use your Real Name - that is a hint.

Of course, there are times and reasons to give up some privacy. We do it all the time for "convenience." As long as it is a conscious choice, fine. It is when companies TAKE AWAY that choice that it should bother each person.